By Topic: Data Privacy Litigation

With the recent adoption of statutes by Alabama and South Dakota this year, all 50 states have breach notification laws integrating notification procedures. Arizona, Colorado and Oregon have also recently revised and strengthened their existing data breach notification laws. This article details the provisions of the new statutes and amendments, with insights from McGuireWoods partner Janet P. Peyton. See “Synthesizing Breach Notification Laws in the U.S. and Across the Globe” (Mar. 2, 2016).

Information about a person’s criminal history remains online long after many serve their time. But in what circumstances must a search engine comply with an individual’s demand to delist those links? That was the central question in the closely watched case of NT1 & NT2 v. Google LLC, the first consideration of the “right to be forgotten” by English courts. Decided on the cusp of the GDPR’s effective date, the High Court used a balancing test from the E.U.’s 2014 Google Spain case. Kelly Hagedorn, a partner in Jenner & Block’s London office, told The Cybersecurity Law Report that the decision was “a very carefully reasoned judgment” that, even in the new regime of the GDPR, would be “a useful reference point for those considering the balancing of the right to erasure and the right to freedom of speech.” See “The GDPR’s Data Subject Rights and Why They Matter” (Feb. 28, 2018).

Recent enforcement actions against Aetna Inc. and Fresenius Medical Care Holdings, Inc. resulted in respondents agreeing to pay significant fines and to update their policies, procedures and training. These cases, brought by the Office of the Attorney General of the State of New York and the Office for Civil Rights of the U.S. Department of Health & Human Services, are an important reminder that human error is often a significant factor in data breaches and that physical security is a critical component of data privacy. In addition, the Aetna action is the most recent example of New York's active cybersecurity efforts. "New York has been on the leading edge of data security regulation. . . The Attorney General [] has been proactive," Patterson Belknap partner Craig A. Newman told The Cybersecurity Law Report. "It's fair to say that cyber is at the top of the state's regulatory agenda." We detail the breaches and settlement terms. See also “Takeaways From State AGs’ Record-Breaking Target Data Breach Settlement” (May 31, 2017).

Both the public and private sectors are increasingly using biometric identification as a security method, making it more important than ever to understand the wide range of relevant legal requirements and restrictions. During a recent WilmerHale webinar, firm attorneys Jonathan G. Cedarbaum and Arianna Evers analyzed the regulatory landscape related to the collection and use of biometric data. In the first installment of our two-part series, we cover their presentation on relevant state laws and notable cases, litigation strategies and defenses. Part two will cover applicable federal and international regulations. See also “Actions Under Biometric Privacy Laws Highlight Related Risks” (Dec. 6, 2017).

Data localization is the most contentious issue for privacy regulators and the increasingly data-driven global business community, data privacy professionals said in Hong Kong at the Conference of Data Protection and Privacy Commissioners. Our sister publication PaRR provides insights from Apple and Microsoft executives, as well as Chinese data privacy experts, on the state of “data nationalism” in the global business place. See “The Sword of Damocles in the Information Age: How to Face the New Challenges Under the Chinese Cybersecurity Law” (Jan. 11, 2017).

The Grand Chamber of the European Court of Human Rights has laid out new criteria for national courts to consider when evaluating whether companies have safeguarded employees’ right to privacy. The court sided with an employee who claimed his privacy rights were violated when his messages were recorded. In light of this decision, some companies operating in the 47 member states may want to revisit their policies on monitoring communications, experts told The Cybersecurity Law Report. We analyze the implications of the decision and how it aligns with other national laws. See “Effective and Compliant Employee Monitoring (Part One of Two)” (Apr. 5, 2017); Part Two (Apr. 19, 2017).

While the risks of data privacy and data breach litigation are substantial, the legal standards are in flux and may depend on the court and jurisdiction in which the case lies. Lawyers are struggling to keep up, with courts issuing potentially disruptive decisions on a near-monthly basis. During a recent PLI panel, plaintiffs’ lawyer Daniel Girard of Girard Gibbs discussed the evolving landscape and its strategic implications with Robert Herrington, a Greenberg Traurig shareholder. The types of successful data privacy cases are shifting and each stage of litigation presents companies with strategic choices. The contrasting perspectives provide guidance to both plaintiffs and defendants as they weigh such choices throughout collateral data breach litigation. See also “Minimizing Class Action Risk in Breach Response” (Jun. 8, 2016).

China’s state secrets law is the source of much angst for lawyers. While the concept of protecting state secrets is straightforward – and common to most countries – the breadth and ambiguity of China’s law, and the inconsistent way it is enforced, create unique data privacy challenges for companies operating in the PRC, especially when they are conducting internal investigations that require data to be transferred out of the country. This article, drawing on interviews with a number of attorneys practicing law on the ground in Asia, details six key considerations related to the state secrets laws for companies formulating sensible investigation strategies in China. For our companion article, see “Understanding the Far-Reaching Impact of Chinese State Secrets Laws on Data Flow” (Jul. 6, 2016).

California, looked to as a leader in privacy protections as well as breach notification requirements, has passed the California Electronic Communications Privacy Act (CalECPA), a new law that raises the bar for state law enforcement seeking electronic information. Aravind Swaminathan and Marc Shapiro, Orrick partner and associate, respectively, told The Cybersecurity Law Report what CalECPA – which requires state law enforcement officials to secure a warrant before they can access electronic information – means for companies and individuals. See also “Orrick Attorneys Explain California’s New Specific Standards for Breach Notification,” The Cybersecurity Law Report, Vol. 1, No. 15 (October 28, 2015).

Privacy and cybersecurity considerations are currently a key focus of private and public sector organizations, governments and individuals worldwide. Canada is no exception. In fact, although Canada has long been considered a global leader in striking a reasonable balance between the protection of privacy and the needs of organizations, in recent years Canada has seen the emergence of unprecedented legal risks in respect of privacy and cybersecurity matters. As Alex Cameron, a partner at Fasken Martineau, explains in a guest article, organizations doing business in Canada (or that process information about Canadians) should take note of the dramatic increase in privacy litigation and class actions in Canada, and the recent introduction of mandatory breach notification, reporting and recordkeeping in Canada. Cameron explains the developments and summarizes recent cases. See also “Canada’s Digital Privacy Act: What Businesses Need to Know,” The Cybersecurity Law Report, Vol. 1, No. 9 (Jul. 29, 2015).

Cybersecurity and privacy issues have catapulted to the forefront of current hot-button legal topics, and companies are taking steps to prevent breaches and satisfy regulators, panelists said at a recent conference hosted by Georgetown Law’s Cybersecurity Law Institute. The moderator and panelists come to cybersecurity and data privacy with different perspectives – plaintiffs’ counsel from Edelson PC; principal for reliability and cybersecurity for Southern California Edison; in-house counsel at IT company CACI International; and defense counsel from Alston & Bird. In a panel examining emerging law on corporate cyber liability, they shared their insights on the sources of liability for companies, best practices when collecting personal data, the compliance lessons from government enforcement actions, as well as from shareholder derivative suits and class actions that have followed breaches. Part two of this article series will cover their considerations for settling cybersecurity liability cases.